Equitable Holdings, Inc. - (EQH)

10-K Filing Date: February 26, 2024
Part I, Item 1C.
CYBERSECURITY
Overview of Our Cybersecurity Risk Management
Equitable’s cybersecurity program (the “Program”) is based on, and leverages, industry-leading frameworks, including the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”). The NIST CSF provides standards, guidelines and best practices on managing cybersecurity risk, as well as on the organization, improvement and assessment of the Program. Equitable’s Chief Information Security Officer (“CISO”), who reports to its Chief Information Officer, manages the Program through an information security team organized into five functional areas (as outlined below). The CISO establishes and monitors compliance with our internal controls using published standards, cybersecurity software and similar tools, and control assurance reviews. These five areas also work closely with our information technology team to provide expertise and guidance to help manage risks and controls related to cybersecurity.
The information security team’s five functional areas consist of:
Information Security Governance, Risk and Strategic Program Management – this includes cybersecurity policy lifecycle and regulatory change management, enterprise and role-based security awareness and training programs (including phishing campaigns), cyber risk management, strategy and program management and communications and reporting.
Information Security Compliance – this includes cybersecurity assurance reviews, acting as a liaison for cybersecurity-related regulatory reviews and audits (both internal and external), support for third-party vendor security reviews, and IT financial controls oversight.
Security Operations and Intelligence – this includes security operations center management, cyber incident lifecycle management, threat intelligence monitoring, vulnerability management and tabletop exercises.
Identity and Access Management – this includes identity governance and administration, access recertification, and management of multi-factor authentication processes and password vaults.
Security Architecture and Engineering – this includes establishing cybersecurity-related technical standards and baselines, reviews of any proposed exceptions to those standards, participating in architectural and software review processes and providing security engineering services for cybersecurity tools/solutions as well as with IT network and infrastructure teams.
Equitable continues to prioritize the security of its technology and sensitive data through investments in cybersecurity detection and prevention technologies as well as employee communications and training. Equitable recently launched a cyber-incident readiness program, and regularly conducts cyber exercises and readiness assessments, penetration testing and independent control reviews to validate and protect the confidentiality, integrity and availability of our information systems. Equitable also conducts annual security awareness training and periodic phishing simulation exercises to train employees to recognize and report phishing attacks, as well as other supplemental training organized by the information security team.
Equitable also regularly engages external consultants to develop or refresh target operating models, roadmaps, and new technologies and solutions for managing key cybersecurity risks. These engagements provide an external view that incorporates solutions to address evolving technologies and threats, and also aids with strategic alignment of vendors to achieve cyber risk reduction goals in a cost-effective manner. External consultants also perform penetration testing, advise on cyber incident response preparedness, conduct tabletop exercises, support security operations center activities, and perform third-party vendor cyber risk reviews.
The Program uses a risk-based approach to requiring Equitable’s third-party service providers to maintain security controls designed to ensure the integrity, confidentiality, and availability of the providers’ systems and the confidential and sensitive information that the provider maintains and processes on Equitable’s behalf. A third-party service provider risk team performs cybersecurity assessments on third-party service providers with support from information security compliance to evaluate the provider’s controls based on the level of risk that the provider’s services or solutions may present to Equitable. Relevant provisions of service provider contracts require providers to implement enhanced or heightened levels of controls, as applicable. This assessment is a part of Equitable’s overall corporate sourcing and procurement management process, and the corporate sourcing and procurement team separately tracks and reports any exceptions or compliance action plans to the same executive management-level committees to which the CISO provides cybersecurity risk updates, as discussed more fully below.
Equitable also maintains an Operational Resilience program managed by the enterprise risk management function that aims to protect its people, customers, and brand by sustaining critical services at defined levels while responding to expected and unexpected disruptions and adapting to changes in its operating environment. The Operational Resilience program includes a consultative process to identify critical resources across the organization to prioritize for recovery during a crisis such as business processes, applications, staffing, hardware/software and recovery timeframes. Under that program, both critical and non-critical applications are required to have a documented application recovery plan, and all business units are required to have a documented business continuity plan. Each of these plans is required to be certified annually and is tested periodically, with test results tracked and documented for distribution to designated management teams.
During the fiscal year of this Report, Equitable has not identified risks from cybersecurity threats that have materially affected or are reasonably anticipated to materially affect the organization. Nevertheless, it recognizes that cybersecurity threats are ongoing and evolving, and we continue to remain vigilant. For more information on our cybersecurity risks, see “Risk Factors—Risks Relating to Our Operations—Failure to protect the confidentiality of customer information or proprietary business information” and “Risk Factors—Risks Relating to Our Operations—Failure to protect the confidentiality, integrity, or availability of customer information or proprietary business information.”
Governance of Cybersecurity Risk Management
The Program is overseen by the CISO, who has over 20 years of experience in cybersecurity roles, holds over 10 cyber-related industry certifications, is a Series 99 FINRA licensed Operations Professional, and has a Bachelor of Science degree in Computer Systems & Networking as well as a Master’s degree in business administration. The Program is integrated into Equitable’s overall Enterprise Risk Management (ERM) program to identify, evaluate and manage risks; the ERM program is managed by Equitable’s risk management area and overseen by its Chief Risk Officer, who reports directly to its Chief Executive Officer. Under the ERM program, cybersecurity risks are evaluated alongside and consistent with the evaluation of other business risks, with the information security team providing subject matter expertise with respect to the identification, assessment, and tracking of cybersecurity risks pursuant to guidelines established as part of the ERM program. Various cross-functional committees within Equitable also meet on a regular basis to review risks, mitigation plans and projects that impact Equitable’s information technology systems. In addition, Equitable’s Program is assessed on at least an annual basis by its internal audit function, including an assessment of control effectiveness related to designated risk scenarios.
The information security team also works with other areas of Equitable, including enterprise risk management, data privacy, compliance, internal audit, and fraud to coordinate and align (i) risk management processes (e.g., identification, assessment, and management), and (ii) reporting to senior management, the Board of Directors and certain committees thereof. More specifically, the information security team uses its subject matter expertise to tailor the risk assessment process for evaluation of cybersecurity risks while enterprise risk management establishes overall corporate risk policy and risk tolerance levels. In addition, a cross-functional team which includes members of the above-referenced areas routinely monitors threat intelligence feeds and evaluates emerging threats. Key risks are escalated and reported to executive management and the Board or committees thereof, via (i) an established cadence of at least quarterly cybersecurity updates, (ii) an incident response plan with respect to risks related to cybersecurity incidents meeting a defined threshold, and (iii) ad hoc meetings between the CISO and executive management and/or Board members as necessary.
The CISO provides regular updates regarding the Program and cybersecurity risks to Equitable’s Information Risk and Data Protection Committee, comprised of members of executive management, and also provides quarterly updates to the Audit Committee of Equitable’s Board of Directors, which oversees cybersecurity risk. In addition to receiving quarterly updates from the CISO, the Audit Committee receives reports on cybersecurity risks from our internal audit function, and also periodically receives reports from an external cybersecurity advisor. The Board receives quarterly reports from the Audit Committee, and also receives at least annual updates on the Program and cybersecurity risks from the CISO. The CISO also meets on an individual basis at least quarterly, or more frequently as needed, with members of executive management with cybersecurity oversight responsibility, and has the authority to escalate disagreements with management regarding cybersecurity risks and the management of such risks directly to the Board of Directors.
Periodic updates regarding the Operational Resilience program are provided by Equitable’s Chief Risk Officer or a designee to its Audit Risk and Compliance Committee, comprised of members of executive management, as well as the Information Risk and Data Protection Committee and the Audit Committee.
Under Holdings’s service agreement with Equitable Financial, Equitable Financial provides personnel services, employee benefits, facilities, supplies and equipment to Holdings to conduct its business. Included in these services are the cybersecurity monitoring and oversight procedures described herein.
The information contained herein does not apply to Holdings’s subsidiary, AllianceBernstein (AB), which has its own information systems and cybersecurity program to address cybersecurity risks associated with those systems. That program includes reporting of cybersecurity incidents impacting AB’s information systems to our CISO if they meet a defined threshold. For additional information regarding AB’s cybersecurity program, see Part I, Item 1C of AB’s Annual Report on Form 10-K for the year ended December 31, 2023.